The present invention relates to data processor systems, and particularly to a processor unit for use with a general purpose data processor system, such as a personal computer. The invention is especially useful as a security unit to be attached to a computer and its peripheral units to enable the computer to perform various security functions in a manner which does not jeopardize the security information, and the invention is therefore described below with respect to such an application.
Security functions, such as encryption, decryption, the computation of a message authentication code (MAC), digital signature generation, public key certification, etc., are often performed in a dedicated processor unit to be attached to a general purpose computer. Such an attached processor isolates the secret data, e.g., keys and passwords, from the general purpose computer in a manner so as not to compromise the secured activities while permitting the general purpose computer to perform the non-secured activities. However, a general purpose computer, such as a PC (personal computer), provides a large set of possible ways of compromising the security, e.g., Trojan horse or virus software. Since the general purpose computer must be able to communicate with the security unit, and since the software of the general purpose computer is corruptible, it is possible to compromise secret information or to "trick" the security unit into performing improper operations involving security risks. Where the security unit may have special purpose I/O devices, such as a smartcard reader, the danger of compromising security is even increased.
Ideally, to minimize security risks, the following rules should be observed:
(1) Secret key operations should be performed in the privacy of the security unit to be attached to the general purpose computer, and not in the general purpose computer where such data may be compromised, e.g., by resident Trojan horse software; PA1 (2) The password or personal identification number (PIN) used to allow access to secret keys (via data encryption or other means) should not pass through the general purpose computer since, if this secret information is keyed into the general purpose computer, it may be compromised, e.g., by resident Trojan horse software; PA1 (3) There should be no opportunity of having data to be signed, encrypted or authenticated, being forged by resident Trojan horse software in the general purpose computer. This is of particular importance in the context of digital signatures. The corrupted general purpose computer may display one set of data on the display terminal, and may request that the attached security unit sign a completely different set of data. PA1 1. Such a system provides a large saving in cost because peripheral I/O devices (keyboards, displays, printers, etc.) need not be duplicated for the security unit; PA1 2. Such a system can also use the higher-quality peripheral devices generally provided for the computer unit, rather than the lower quality peripheral devices generally provided for the security unit; PA1 3. Such a system is more convenient for the user, in that the work area is not cluttered with extra but seldom used keyboards, displays, etc.; PA1 4. Such a system does not require an independent power supply for the security unit, since it can use the power line to the keyboard as a source of power; and PA1 5. Such a system requires no additional data link cables for communication, as data communication between the computer unit and the security unit can be done using the conventional keyboard, printer, video or other connections.
One way of addressing these problems is to provide the security unit with its own independent keyboard, display, printer, and/or other interface hardware components, such that the data processor system would have two keyboards in the immediate vicinity of the general purpose computer, two displays, etc., one for the computer and one for the security unit. However, such systems requiring the duplication of keyboards, displays, printers, etc., are very costly, are inconvenient to use because the work area is cluttered with extra but seldom used keyboards, displays, etc., require an independent power supply, and/or require additional data links.
It would therefore be highly desirable to provide a processor unit in general, and a security unit in particular, which may be used with a conventional computer unit, keyboard unit, etc., but which takes over control of the connecting lines between the computer unit and its perhipheral units. It would be particularly desirable to provide such a capability in a security unit so as to prevent the compromise of security information to be processed in the security unit.